We run a mixed environment (NT, Solaris, HP-UX, Linux), and are looking to upgrade to Win2K in the near future. We don't want to leave behind the numerous Linux clients we support. What is the preferred method to implement Domain Name System (DNS) and GPOs for network access on such a mixed environment? I guess the root question is "How can we use Active Directory in this environment?" Does it matter on which platform the DNS service is running? Unfortunately I am new at this and charged with making it all work.

Whew. You have a job ahead of you and that's the truth. Forget the technical challenges. You're entering a minefield of fanatical operational beliefs. Even Salman Rushdie would not envy your position.

Okay, first things first. You can't use Windows 2000 group policies to control anything other than Windows 2000 machines. Policies rely on client-side extensions that are not present on downlevel Windows clients and certainly not on Linux clients.

Picking a DNS server is a matter of your own background and comfort level. If you are familiar with BIND and you are running a version that supports Service Locator Records (SRV) and (optional but preferable) dynamic updates, then by all means use a Linux or Unix server for DNS. If you are more familiar with NT DNS, then you should install a Windows 2000 server and put the primary DNS zones on that server. There are some advantages to using Windows 2000 DNS because you can integrate the zones into Active Directory. This gives you multiple master DNS (contrasted with a single primary master in BIND) and a rudimentary form of secure updates. But neither of these is sufficiently interesting to move away from BIND if that's what you're currently using.

Network authentication is also fairly straightforward. I'm assuming that you're already running SAMBA if you're in a mixed environment. A SAMBA client can authenticate in a Windows 2000 domain using NTLM Challenge-Response, just like a downlevel Windows client. If you want to take advantage of Kerberos authentication, you can configure your Linux/UNIX clients for Kerberos and point them at a Windows 2000 domain controller as a Key Distribution Center (KDC). Unfortunately, this will not give your Linux/UNIX clients full Windows 2000 authorization because only Windows 2000 clients know how to extract the Privilege Access Certificate (PAC) from a Kerberos ticket issued by a Windows 2000 KDC. So when the SAMBA client touches a Windows 2000 member server, it will fall back on NTLM authentication to get a local access token. Take a look in www.dejanews.com at any discussion thread ranting about the PAC and you'll get a flavor for the problem.

As for other network infrastructure components you use, most of them will be just as happy in a Windows 2000 domain as an NT4 domain. If you're running NT4 RAS servers, you should upgrade them to Windows 2000 to avoid putting the Everyone group in the Pre-Windows 2000 Compatible Access group to support null logons. Thoroughly test all your applications (especially client/server applications that rely on the underlying Windows authentication infrastructure) to make sure they work fine on Windows 2000. This is especially true of any NFS servers you are running on your NT servers.
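The answer's point about BIND needing SRV record support is the one most often got wrong in practice: if the zone does not carry the service locator records a Windows 2000 domain controller registers, clients cannot find the domain at all, whichever platform serves DNS. As an added example (not from the original answer or from TechTarget), the following Python script audits a BIND-style zone for those records. The zone text, the host names and the domain name corp.example are constructed for the example; the required record names and default ports are the ones a Windows 2000 DC writes to its netlogon.dns file.

```python
"""
Audit a BIND-style zone for the SRV records a Windows 2000 domain
controller registers and that domain members use to locate the domain.
Added example; the zone below is constructed, corp.example is a placeholder.
"""
import re
from collections import defaultdict

# Service locator names a Windows 2000 DC registers under the domain name,
# with the default port each service listens on.
REQUIRED_SRV = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_ldap._tcp.dc._msdcs": 389,
}

# owner [ttl] [IN] SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)",
    re.IGNORECASE,
)


def qualify(name, origin):
    """Turn a relative zone-file name into a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_srv(zone_text, origin):
    """Return {owner FQDN: [(prio, weight, port, target), ...]} from zone text.

    Honours $ORIGIN directives and strips ';' comments; non-SRV records are ignored.
    """
    origin = origin.lower().rstrip(".")
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".")
            continue
        m = SRV_RE.match(line)
        if not m:
            continue
        owner = qualify(m.group("owner"), origin)
        records[owner].append(
            (int(m.group("prio")), int(m.group("weight")),
             int(m.group("port")), qualify(m.group("target"), origin))
        )
    return records


def audit_ad_srv(zone_text, origin):
    """List required SRV names that are missing or that advertise a wrong port."""
    origin = origin.lower().rstrip(".")
    records = parse_srv(zone_text, origin)
    problems = []
    for name, port in REQUIRED_SRV.items():
        fqdn = f"{name}.{origin}"
        rrs = records.get(fqdn)
        if not rrs:
            problems.append(f"missing {fqdn}")
            continue
        for _prio, _weight, p, target in rrs:
            if p != port:
                problems.append(f"{fqdn} -> {target} uses port {p}, expected {port}")
    return problems


# Constructed sample zone: one DC, with the _msdcs locator deliberately left out.
ZONE = """\
$ORIGIN corp.example.
$TTL 600
@                IN SOA ns1 hostmaster 1 3600 600 86400 600
                 IN NS  ns1
ns1              IN A   192.0.2.1
dc1              IN A   192.0.2.10
_ldap._tcp       IN SRV 0 100 389 dc1
_kerberos._tcp   IN SRV 0 100 88  dc1
_kerberos._udp   IN SRV 0 100 88  dc1
_kpasswd._tcp    IN SRV 0 100 464 dc1
; _ldap._tcp.dc._msdcs is omitted so the audit has something to report
"""

if __name__ == "__main__":
    for problem in audit_ad_srv(ZONE, "corp.example") or ["zone looks complete"]:
        print(problem)
```

In a real deployment you would feed the script a zone transfer of the domain's zone or the netlogon.dns file from a domain controller rather than the embedded text. A clean result only says the locator records exist; it says nothing about whether dynamic updates from the DCs are being accepted, which is the separate BIND configuration question the answer raises.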
